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ABSTRACT 


Historically, cyber-attacks targeting eomputer networks have sometimes favored 
the attaeker over the defender, resulting in great loss of information or denial of serviee. 
This thesis investigates the possibility that short-term eyber-attaeks on network supply 
ehains may conceal more sinister plans to destroy the long-term operational effectiveness 
for supplying goods during periods of eritieal needs. Using a life-cyele approaeh, 
quantifiable metries were used to eompare short-term risks with long-term risks in a 
network supply ehain to establish the existenee of blaek swan events. 
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EXECUTIVE SUMMARY 


Historically, cyber-attacks on computer networks have favored the attacker (Red) 
over the defender (Blue), often resulting in loss of data and compromising the Blue’s 
ability to maintain eontrol of its network operations. Deteeting malicious software in 
monitored, secure environments has proved quite challenging, generally lagging the 
diseovery of consequenees of the eyber-attack(s) (e.g., data that was stolen). Although 
eomputer network operators (Blue) have been very aggressive in responding to cyber- 
attaeks once the consequences have been observed, the short-term response of the 
network defenders has foeused on a quick response with security updates to prevent that 
attaek from happening in the future. Blue’s objective is to return the network to fully 
funetioning operations by regaining explicit, non-compromised “control” of the network 
for Blue. 

This thesis poses the possibility that Red’s short-term cyber-attacks may be 
harbingers of more sinister plans to destroy the operational effectiveness of network 
operations, (i.e., a supply chain planned to meet critieal operational needs of commereial 
or military operations). In this regard, some of Blue’s best practices against cyber-attacks 
may have the intended effect of allaying short-term anxieties, yet pose grave risks for 
unexpeeted events on a long-term basis. This thesis answers the important question: how 
ean short-term responsiveness to cyber-attaeks on supply chains boost long-term dangers 
of black swan events meant to destroy supply chain effectiveness for a eritical period? 
The investigation adopts a life-cycle approaeh to analyze the funetions and proeesses 
within a network supply ehain to determine the changes in management metrics for short¬ 
term and long-term risks. We analyze long-term risks in terms of black swan events to 
determine their origins in short-term cyber-attaeks. As proposed by Nickolas Taleb 
(2010), black swan events are those that although improbable—^with a probability of 
occurrence of less than 5%—onee they occur their effeets can be catastrophic. These 
events are labeled as improbable beeause eurrent statistical models have them fall greater 
than four standard deviations outside the normal distribution. Henee, these events are 
considered as outliers and are therefore ignored in all standard risk assessments. 


XV 



The supply chain is defined as “physical and logical flow of goods, information, 
processes, and money, upstream and downstream through a supply chain. They may 
include supply chain nodes, locations, delivery paths, or transactions,” (NIST 800-161 
2015, F6). Supply chain management has long been involved in the management of 
acquisitions, support, and logistics for goods and services. The evolution of the supply 
chain now extends to distribution networks, information management, customer support, 
and logistical activities. Cybersecurity issues in the supply chain have compelled 
government and commercial entities to allocate significant time and money to attempt to 
cope with the potential of mission degradation caused by the susceptibility of the supply 
chain to threats and the vulnerable supply chain processes. Most of the “fixes” 
implemented by commercial and governmental entities are short term. 

Short-term responses by Blue to a cyber-attack are defined in this thesis as those 
involving an immediate response to thwart or observe, and corrective action to ameliorate 
a newfound vulnerability. Long-term views and strategies of Blue are those that over time 
may pose catastrophic effects when not addressed adequately in the short-term when 
there is time to correct structural problems in architecture and assess the vulnerabilities 
and susceptibilities. A short-term cyber-attack that has long-term vulnerability potential 
with catastrophic consequences was the attack on the U.S. Office of Personnel 
Management (0PM) (Committee on Oversight and Government Reform 2015). Stuxnet 
is another example of how a short-term attack can have long-term implications. Stuxnet is 
known as an attack to a government infrastructure with the intent to degrade (long-term 
effect) the capability of Iran to enrich weapon-grade uranium (Kushner 2013). 

Under the assumption that Red’s intent is to introduce some sort of stressor or 
stimulus with the ultimate goal of gaining insight of an organization’s internal process 
that generate a particular observable. Blue is resource constrained while Red’s attacks are 
numerous with unlimited resources. Red may be not be looking for a specific observable 
but rather just looking for what are the observables generated by the attack. The model is 
represented graphically in Figure A. In the short-term model. Blue does not recognize the 
long-term implications or relationship between attacks. 
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Critical Processes 
Process 1 
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Process N 


Inside the Organization, 
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Feedback 


Observable 1 


Observable 2 


Observable N 


Figure A. Illustration of the Multitude of Attacks and Observables to Take into 
Account in the Supply Chain. 


Orlik and Veldkamp define a black swan event as one that exhibits uncertainty 
fluctuations caused by “time-varying risk of unobserved tail events” (2015, 2), in other 
words a “conditional probability of a rare event” (2015, 4). These “tailed” events relate to 
the thickness of the expected distribution tails, also known as skewness. Such fluctuations 
assume that the true distribution of supply chain vulnerabilities occur as unknowns. The 
significant contribution of Orlik and Veldkamp was to explain large fluctuations in 
uncertainty due to changes in the likelihood of events that were distributed far from the 
mean of the data (2015). Through a careful analysis of the causes of statistical 
significance, it was not the changes in the variance in the data that was the culprit but 
rather the time-varying risk of the unobserved tail events, which are also known as black 
swans. “Thus, everyday fluctuations in a data series can produce large fluctuations in 
conditional variance for an agent who is constantly re-estimating the tails of the 
distribution” (Orlik and Veldkamp 2015, 1). 

For long-term objectives. Red will generate one attack (Attack 1) on the system 
that eventually causes Blue to respond and cause an external observable (Observable 1). 
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Observable 1 is monitored and fed back (Feedback 1) to Red. Red in turn generates 
subsequent attacks (in a series, parallel, single, or simultaneous) denoted as Attack N, 
which generates an Observable N, and fed back N number of times. The process 
continues where Blue may not notice the interrelation between the attacks. At a future 
time. Red decides to initiate all or a series of attacks to attain an effect (black swan) to 
case mission degradation. Notice the difference in the feedback loop in the long-term 
versus short-term objectives. For long-term objectives, the feedback provides the initial 
conditions for the next attack. The short-term objective feedback provides an observable 
for Red, and it ends there. From Blue’s perspective, the multiple attacks may not be 
related. The long-term model is represented graphically in Figure B. 
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Process 1 
Process 2 
Process N 


Inside the Organization, 
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Feedback 1 


Feedback N 
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Figure B. Long-term Model Illustration of the Multitude of Attacks and 
Observables on the Supply Chain. 

From the supply chain’s short-term and long-term perspective, once Blue 
determines that a problem is detected in the type of goods that are planned to be transited 
to a location with an urgent need and has determined mitigating measures for all 
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identified risks, then the likelihood and consequenee can be recorded in risk register for 
traceability of risks and their associated ratings (DASD[SE] 2015). 

Long-term views must consider the short-term metrics and how a combination of 
those metrics may provide the big picture of what will be the black swan event (Red’s 
long-term objective). Blue must use the tools and metrics provided in this thesis together 
with external process (e.g., organizational audits, health assessments) to attempt to 
identify those long-term black swan events. The idealization of a supply chain black swan 
caused by Red, posed as the premise of this thesis, substantiates the notion that short-term 
cyber-attacks can indeed be considered as precursors for long-term problems. 
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I. 


INTRODUCTION 


Systems engineering spans the life-cycle of products and services, encompassing 
conceptualization, development, integration, operations, sustainment, and disposal. Once 
a service has been placed into operations, goods are moved through a chain that supplies 
and provides services to customers. This supply chain is defined as “physical and logical 
flow of goods, information, processes, and money, upstream and downstream through a 
supply chain. They may include supply chain nodes, locations, delivery paths, or 
transactions,” (NIST 800-161 2015, F6). Since the introduction to supply management 
by Frederick Taylor in 1911 (Taylor 1911), supply chain management has long been 
involved in the management of acquisitions, support, and logistics for goods and services. 
The evolution of the supply chain now extends to distribution networks, information 
management, customer support and logistical activities. Supply chain management has 
developed into its own field, now addressing vulnerabilities to physical and cyber-attacks 
in the private, commercial, and government sectors (Warren et al. 1990; Shackleford 
2015). 

Defining military and commercial readiness in terms of available resources to 
operate in both normal and unforeseen situations challenges the means of providing 
defense-critical goods and services through a network of suppliers. To underscore the 
need for a robust and resilient supply chain in spite of the complexities of supply chain 
management, the susceptibilities and vulnerabilities of supply chains, coupled with the 
added complexities of cybersecurity, poses new challenges to readiness. Cybersecurity 
concerns are prominent, as shown in Internet and news media headlines of companies 
(i.e.. Target Inc., Home Depot, and the Office of Personnel Management (0PM)). In 
hundreds of examples, “secure” networks were hacked and sensitive information was 
compromised and stolen to gain access to economic, military, and private data (Krebs 
2014). For the United States (U.S.) Department of Defense (DOD), cybersecurity is 
defined as the “prevention of damage to, protection of, and restoration of computers, 
electronic communications systems, electronic communications services, wire 
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communication, and electronic communication, including information contained therein, 
to ensure its availability, integrity, authentieation, eonfidentiality, and nonrepudiation” 
(DOD 2014a, 55). When eyberseeurity is inadequately implemented, the short-term 
implieations ean be eatastrophie—from loss of eustomer privaey data to mission failure 
due to degradation of eapability and effeetiveness of the supply ehain. 

Seeurity against eyber threats has grown to beeome a top eoneern for the military, 

government offieials, eorporations, and individuals. In an effort to address the multitude 

of eyberseeurity ineidents that have weakened the eountry’s eritieal infrastrueture. 

President Baraek Obama signed Executive Order No. 13636 in February 2013. This order 

direeted the inerease of shared eyberseeurity information with the private seetor, 

aeeomplished by deelassifying federal eyberseeurity reports and making them available 

for private use. The rationale provided in the order was that the private seetor would be 

better proteeted and able to defend itself against eyber threats by bringing forward 

voluntary information. This voluntary information should eonsist of eyber related 

institutional lessons learned, assessments and implementation of eorreetive aetions, 

whieh the goal of providing transpareney. The Exeeutive Order tasked the Department of 

Commeree’s National Institute of Standards and Teehnology (NIST) with developing the 

meehanism to eonsolidate inputs from organizations, inside and outside the government, 

to develop standards and best praetiees for improving the infrastrueture. Other issues 

addressed in Exeeutive Order 13636 inelude safeguarding privaey, auditing eurrent 

eyberseeurity doetrine, and eneouraging the private seetor to join the framework ereated 

by NIST (2013). Further, The National Defense Authorization Aet (2013) for Fiseal Year 

2014, §937, ealled for the establishment of a “joint federation of eapabilities” to ensure 

seeurity of DOD software and hardware. In response to the 2013 aet. United States 

Deputy Seeretary of Defense (2015) Robert Work signed Poliey Memorandum 15-001, 

whieh authorized the ereation of the Joint Federated Assuranee Center (JFAC). The 

Deputy Seeretary of Defense (2015) stated that the JFAC would be implemented by the 

Offiee of the Underseeretary of Defense for Aequisition, Teehnology, and Fogisties 

(DASD[SE]). The Underseeretary of Defense deseribed the purpose of the JFAC as 

providing support to program offiees through their aequisition life-eyeles to implement 
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future policies as well as software and hardware expertise in the form of standards, 
requirements, best practices, contracting, training, and testing (DASD[SE] 2015). On 
February 9, 2015, Deputy Secretary of Defense Robert O. Work signed the charter for a 
new organization (Hurt 2015). At the time of publication, the official JFAC website was 
not available. 

To underscore the similarities between commercial and military supply chain 
issues, problems, and management. Dr. Kristine Feiphart from Rand Corporation, writing 
for the Army Fogistics University, reiterated that, “Military logistics and commercial 
logistics are parts of the same industry” (Feiphart 2001). The national infrastructure 
networks that support supply chains for both military and commercial uses may be 
stressed at some point, so that the military supplies might jointly use public assets or in 
critical circumstances take priority over supply of commercial goods. The same concerns 
to reduce inventory, use technology to improve efficiency, outsource to certain vendors, 
use commercial rates for some military supplies, and to thwart cyber-attacks on the 
commercial supply chain infrastructure are akin to deterring cyber-attacks on the military 
supply chains. 

Cybersecurity issues in the supply chain have compelled government and 
commercial entities to allocate significant time and money to attempt to cope with the 
potential of mission degradation caused by the susceptibility of the supply chain to 
threats and the vulnerable of the supply chain processes. Most of the “fixes” implemented 
by commercial and governmental entities are short term—to sustain the movement of 
goods to maintain the utility of the supply chain. Fong-term effects are presumed to be 
accommodate by the current best practices of supply chain management (i.e., concerned 
with focused logistics, precision and velocity, coordinated delivery schedules, fast and 
flexible distribution, and good infrastructure and equipment at distribution centers 
(Feiphart 2001). Appendix A contains DOD and commercial short-term vulnerability 
management frameworks and initiatives. 
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A. 


PURPOSE OF THESIS 


The purpose of this researeh is to develop a framework of thinking about 
cyberseeurity in both the short term for responding to immediate problems and in the 
long term to treat the short-term problems as a means to strueture eyber-attacks that may 
disrupt or ineapacitate the flow of goods. 

B. PROBLEM 

Suceessful cyber-attacks are inherently disruptive. The means of disruption can 
range from extracting data and information about what is moving through the supply 
chain, how the movement of goods is managed, and to include shutting down complete 
operations. The efforts to maintain cyberseeurity are seemingly frustrated by legacy 
systems that are incompatible with modem technology, inadequate recognition of the 
sophistication of the cyber threats, and detection of the most insidious threats that are 
quiescent until activated later. Continuing to deal with cyber-attacks as short-term 
“inconveniences” that dismpt “smooth” operations in a supply chain, may prove 
insufficient for long-term supply chain effectiveness. Without effective movement of 
goods through supply chains, customers and users of these goods may find themselves 
without access to those goods during periods of critical operational requirements. Both 
commercial and military supply chains may fail when they are most needed. The problem 
is without the required goods from supply chains organizations may fail to accomplish 
strategic or mission objectives, resulting in catastrophic losses. 

C. RESEARCH QUESTION 

How can short-term responsiveness to cyber-attacks on supply chains boost long¬ 
term dangers of black swan events? A short-term metric that is monitored for missing 
items in a shipment to a particular location may be interpreted as a need to resend the 
missing items to that location. The cause and effect are assumed to be that an item was 
missed when loading the vehicle for transit. However, if the result of a cyber-attack was 
intentionally to deceive the management of the flow of goods in the supply chain, then 
the cause may have been to ship the missing item intentionally to another location and 
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then gauge the response of the network eontrol. If the network eontrol responded by 
simply rerouting the “missing” item to its “proper” location, then the cyber-attack may 
have established a long-term means of shipping all items to wrong locations and therefore 
all parts will be “missing.” 

D. APPROACH 

The investigation adopts a life-cycle approach from systems engineering to 
analyze a network supply chain in terms of its processes and functions. Functions are 
quantifiable and therefore can be cast into management metrics to help identify short¬ 
term and long-term risks. These metrics are developed to analyze long-term risks in terms 
of black swan events to determine their origins in short-term cyber-attacks. As proposed 
by Nickolas Taleb (2010), black swan events are those that although improbable, with a 
probability of occurrence of less than 5%, once they occur their effects can be 
catastrophic. These events are labeled as improbable because current statistical models 
have them fall greater than four standard deviations outside the normal distribution. 
Hence these events are considered as outliers and are therefore ignored in all standard 
risk assessments. 

This study addresses the methodology needed to harden the supply chain to 
mitigate the vulnerabilities associated with the cybersecurity supply chain. This was 
accomplished by studying and gaining an understanding of the top-level overarching 
Executive Order 13636 (2013), the subsequent documents that have supported it, and by 
understanding cyber-attackers’ short-term and long-term objectives. 

The purpose of Chapter II is to establish a baseline to identify the processes in a 
generic supply chain. This was accomplished by introducing the concept of conventional 
supply chains, their importance and by defining supply chain functional and behavioral 
boundaries. With the ultimate goal of determining functional performances and their 
quality attributes, as well as defining a supply chain as a network of things. Current DOD 
and commercial industry efforts regarding cyber-supply risk as well as their applicability 
to cybersecurity are presented, together with frameworks and initiatives for supply chain 
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vulnerability management. In addition, Chapter II contains the DOD’s promulgated 
supply chain vulnerabilities and explains what makes them so unique as well as why 
current methodology may not address the cyber threat. All of these efforts and initiatives 
were leveraged to better understand the problem. 

After compiling the material for Chapter II, it became clear that issues in the 
current supply chain methodology revolved around short-term techniques that 
subjectively enumerate, rank, and then assign impacts and consequences. In addition, 
most mitigation strategies focused on short-term solutions. Chapter III introduces the 
concept of black swan theory as it applies to long-term effects and the proposed long¬ 
term model and the nature of hardening supply chains by applying the long-term model. 

E. LIMITATIONS AND ASSUMPTIONS 

This study was conducted from the supply chain perspective. Although 
cybersecurity is discussed in this thesis, the intent is not to dwell on the technological 
details associated with cyber-attacks, but rather provide a holistic approach to harden the 
supply chain in the short term and long term. Due to the proprietary nature of 
cybersecurity risk management and lack of publicly available data, the literature review 
was conducted from officially released public sources using both private sector and 
government documents. 

Specific stakeholders were inferred from federal and private sector instructions 
and regulations. These stakeholders include government and private sector organizations 
that are susceptible to supply chain cybersecurity threats. 

For the purposes of this thesis, supply chain vulnerability is that which can lead to 
business risk. The Blue perspective (Blue) is defined as the organization or industry 
trying to harden its supply chain from cyber-attacks. The Red perspective (Red) is the 
attacker, trying to gain access to the system to control or gain valuable information. From 
Blue, the agent is operating from the inside looking out. Red is trying to gain access to 
Blue’s resources from the outside looking in. Blue and Red are analyzed from the 
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perspectives of short-term and long-term views. The short-term and long-term views are 
nothing less than short-term and long-term objectives. 


F. SHORT-TERM AND LONG-TERM VIEWS 

Blue vulnerability to Red cyber-attacks can have short-term or long-term 
consequences. Short-term vulnerabilities (e.g., tampering, theft, unauthorized production, 
counterfeits, poor manufacturing (NIST 800-161)), come with consequences that can be 
remediated and goods flow with most likely only a few encumbrances. Long-term 
vulnerabilities include reduction of the ability to complete overall mission (e.g., loss of 
ships in a squadron, manufacturing and or delivery of parts for weeks and months at a 
time), with consequences that will perhaps require substantial rework, reorganization, and 
changes in infrastructure. Regardless of the terminology of short term or long term, 
supply chains can be damaged sufficiently by cyber-attacks so that they become useless 
in critical situations (i.e., when the supplies are needed to avoid harm because of lack of 
goods). Blue supply chain managers need to assess short-term vulnerabilities to 
determine if there are also long-term consequences that may aggregate to disrupt the 
supply chain over a longer period. Further, cyber-attacks may appear to be of a particular 
nature that has a short-term fix, while in fact the cyber-attack might also be geared to set 
the stage for a more insidious attack that completely disrupts the supply chain during an 
urgent and very critical situation. The short-term remediation may portend long-term 
problems for Blue that could arise on a future date certain or be triggered by another 
seemingly short-term cyber- or physical attack that cause overall mission failure. 

An example of a short-term cyber-attack that opens up a potential long-term 
vulnerability with catastrophic consequences is the attack on the U.S. Office of Personnel 
Management (0PM) (Committee on Oversight and Government Reform 2015). More 
than 22.1 million current and former federal employees (Naylor 2015) data on Standard 
Form 86 (https://www.opm.gov/forms/standard-forms/) was exfiltrated—meaning that 
the data was removed from the network by the adversary who took it (Committee on 
Oversight and Government Reform 2015). In addition, data on the contractors and 

suppliers for the DOD on Standard Form 18 were also disclosed in a separate cyber- 

7 



attack (Committee on Oversight and Government Reform 2015). The same group of 
Chinese haekers assoeiated with the Chinese Red Army was implieated in all of these 
eyber-attaeks and data were exfiltrated by the same Chinese haekers assoeiated with the 
Chinese Red Army (Committee on Oversight and Government Reform 2015). The short¬ 
term response is for Blue to shore up eyberseeurity by upgrading servers, applying new 
security measures to restriet aceess, and to put in plaee more sophistieated software to 
determine if a breaeh has oceurred. The data breaehes of these federal data bases lasted 
upwards of 150 to 200 days (Committee on Oversight and Government Reform 2015). 
Red first penetrated the security systems of the contractors with cyber-attacks that 
provided inputs to the 0PM, and then used their knowledge to exfiltrate information on 
people and suppliers in the DOD supply ehains. The long-term vulnerability may be from 
malieious software eode that remains on the data servers until aetivated (later). Imagine 
integrating data for suppliers involving movements of DOD personnel in a massive 
assessment of supply ehain readiness to deliver goods, assessment of eapability to deliver 
goods, and responsiveness to cyber-attack. By potentially malieious management through 
a Red cyber-attack, the movement of goods in proper numbers to proper destinations 
could be coopted. The supply ehain would initially appear to be operating as normal, but 
when the wrong shipments begin to arrive at their unintended destinations, the extent of 
the damage will be realized by Blue. Valuable time will have been lost for Blue, and Red 
may have perpetrated a massive disruption of a vitally needed military supply effort. By 
its nature, the short-term view necessarily must foeus on the immediate shipment of 
good, whereas, the long-term view requires a broader look at the totality of possible 
consequences. The long-term view of Blue is neeessarily a systems view where methods 
and tools of systems engineering lend themselves to supply ehain planning, analysis, and 
sustainment (Childerhouse 2011; Tsai 2011; Pistikopoulos et al. 2011). 

Short-term responses by Blue to a eyber-attaek are defined in this thesis as those 

involving an immediate response to thwart or observe, and correetive aetion to ameliorate 

a newfound vulnerability. A typical short-term view of Blue is one that normally involves 

widely used risk management tools and teehniques (quantitatively and qualitatively) and 

mitigation strategies. Short-term fixes that control the physical movement of goods 
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normally involve software and or hardware patches, firing underperforming suppliers, 
repairing failed manufacturing equipment, rerouting delayed packets, assigning an 
alternate platform in lieu of damaged or platforms under repair. Red’s goal could be to 
gain control of a computer(s) that controls or leads to control of Blue’s supply cham(s). 
For short-term objectives. Red may want to degrade the supply chain so that Blue would 
need to spend more time and money but without Blue being able to identify Red. Short¬ 
term attacks that are left unchecked by Blue can lead to mission failure. Such is the case 
with Stuxnet. 

Stuxnet is a highly recognized and known attack to a government infrastructure 
with the intent to degrade the capability of Iran to enrich weapon’s grade uranium 
(Kushner 2013). The computer worm of 500 kilobytes software code, with the capability 
of replicating itself, was installed in the control system that managed the centrifuge farm 
(Kushner 2013). According to Kushner, the worm targeted the plant’s computers 
operating system to multiply and reach across multiple computers, infected the software 
used to operate the plants equipment, and then controlled the digital computers used for 
plant’s automation to increase the speed to the centrifuges just enough to increase their 
maintenance, removal, and replacement. The Stuxnet worm did not require an intranet 
connection, something as simple as a portable drive could be used as the insertion device 
into the system spreading the worm to other computers via the intranet without user 
intervention. Further, the Stuxnet worm sent confusing signals to other computers in the 
system so that its masquerade could continue by using digital certificates to trick the 
operating system into accepting its executions as a legitimate program from a trusted 
source. The result was catastrophic failure with reduced capability and effectiveness. 

In the military case. Red’s objectives could be to obtain and modify information 
about accessing the supply chain’s management processes for sort term and long-term 
processes. Short-term disruptions of Blue could also be considered to be information 
gathering to facilitate Red’s long-term objectives (i.e., to prepare long-term strategies for 
catastrophic failure of Blue’s supply chain). 


9 



Long-term views and strategies of Blue are those that over time may pose 
eatastrophic effects when not addressed adequately in the short-term. The intention is for 
Blue to take advantage of the short-term knowledge when there is time to correct 
structural problems in architecture, assess the vulnerabilities and susceptibilities. That 
also leaves Blue time to evaluate the alternative strategies and means of protecting data 
and information. Datum is a quantity or quality that is measured, assigned, or computed. 
Information is the correspondence between datum and context. The Red long-term view 
is to cause Blue to have catastrophic mission failure(s), whereas the Red short-term view 
may be simply to degrade. 
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II. SUPPLY CHAIN MANAGEMENT, VULNERABILITY, 

AND RISK 


Managing the flow of goods in anticipation of cyber-attacks on a short-term basis 
requires specific attention to the network of stakeholders in the supply chain, their 
assurance policy and procedures for protecting both information essential to supply chain 
security and for accessing the controls, planning, architecture, communications, 
commands, and stakeholder intentions. Prohibiting, responding, or observing cyber¬ 
attacks are the responsibilities of supply chain management. 

The Council of Supply Chain Management Professionals (2013), the leading 
industry association that sets standards and provides professional training and 
accreditation, defines supply chain management as follows: 

The planning and management of all activities involved in sourcing and 
procurement, conversion, and all logistics management activities. 
Importantly, it also includes coordination and collaboration with channel 
partners, which can be suppliers, intermediaries, third-party service 
providers, and customers. In essence, supply chain management integrates 
supply and demand management within and across companies. Supply 
Chain Management is an integrating function with primary responsibility 
for linking major business functions and business processes within and 
across companies into a cohesive and high-performing business model. It 
includes all of the logistics management activities noted above, as well as 
manufacturing operations, and it drives coordination of processes and 
activities with and across marketing, sales, product design, finance 
and information technology. (187) 

This definition implies that the important aspect of managing the supply chain is 
mainly driven by supply and demand. One aspect that the council does not define is how 
the quality of produced items or processes are assessed to certify they have not been 
compromised. 

Zsidisin and Ritchie (2008) define supply chain vulnerability management as the 
implementation of strategies to manage vulnerability along the supply chain. They argue 
that vulnerabilities can be mitigated with continuous monitoring, assessment, and 

effective corrective actions, with the ultimate objective of reducing vulnerability and 
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ensuring continuity in the supply chain. When comparing the definitions of supply chain 
management by Zsidisin and Ritchie (2008) and the Council of Supply Chain 
Management Professionals (2013), Zsidisin and Ritchie’s definition seems better suited 
to the needs and requirements of the cyber supply chain because it addresses mitigation 
of vulnerabilities through continuous monitoring and assessment. 

The definition from Council of Supply Chain Management Professionals implies 
that supply chain management is reactive to changes in supply and demand. Today, due 
to the complexities involved with purchasing, warehousing, controlling stock, and 
emerging cyber threats, the supply chain has evolved, and the analysis of its vulnerability 
requires a more rigorous approach. 

A. CONVENTIONAL SUPPLY CHAIN 

The typical supply chain used for commercial and military activities is comprised 
of multiple process flows: information, goods, packaging material, transportation, and 
funds (Scott et al. 2011). The supply chain is normally driven by either product supply or 
customer demand. Supplying the product before or just when the customer needs the 
product (i.e., product supply) is typical of routine customer demand, sometimes 
accelerated by nominal changes in need (Scott et al. 2011). The product supply approach 
presumes there is both an insufficiency of storage space at the delivery site and that the 
customer demand is matched with the production and customization, if any. In other 
words, the supply chain that supplies products before the customer has the actual need, 
helps moderate the amount of money tied up in goods in transit that cannot be sold or 
used and obviates the need for inventory storage beyond what needs to be accommodated 
to match with sales or use. In contrast, a supply chain that is customer driven may need to 
have been customized or some form of modification to satisfy details needed by the 
customer (Scott et al. 2011). Figure 1 shows a basic supply chain with flows of 
information (customer’s order), funds (customer’s payment), and the supplier’s product 
delivery. In this particular figure, the product is tea or coffee. 
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Figure 1. The Simplified Supply Chain for Tea or Coffee. Souree; Seott et al. 

( 2011 ). 


Onee the order is reeeived from the eustomer or generated internally by the 
souree, (i.e., the entity that supplies the good, the souree makes the deeision to make— 
build to stoek; make—build to order; make—engineer to order; buy to stoek; have built 
to stoek; or have engineered to stoek). The “make” deeisions are premised on having all 
eomponents, whereas the “buy,” “have built,” and “have engineered” deeisions are 
necessary when source supplier does not have the necessary components in stock. 

In the short-term view, management of the flow of goods is paramount—ensuring 
production and distribution satisfies demand. Cyber-attacks can gather information by 
which to harass, embarrass, or disrupt. All such acts can take substantial resources to 
counter, and if the long-term view is not reflected in the assessment and evaluation of 
Red’s intentions, then management will tend to focus on exactly making and moving 
goods to placate customers and users. 

B. SUPPLY CHAIN’S FUNCTIONAL AND PROCESS DESCRIPTION 

According to the Supply Chain Council the functional aspects of the supply chain 
are modeled in the Supply Chain Operations Reference (SCOR) model (Scott et al. 
2011). As depicted in SCOR, the functions of the supply chain are very broad and 
complex and illustrated in Figure 2. The SCOR model functional aspects are divided into 
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plan, source, make, deliver and logistics (or returned products). All of the processes are 
repetitive and occur during all stages of the supply chain. 




Suppliers Supplier your comoanv Customer Customer's 

supplier ln(err>al or external ^ ^ Internal or external customer 


Figure 2. Supply Chain Operations Reference Functional Aspects of the Supply 
Chain. Source: Supply Chain Council (APICS) (2016). 

The first stage in SCOR is planning (Scott et al. 2011). Based on supply and 
demand triggers, a plan is developed to accommodate the limitations on the availability 
of source good, source production issues, and delivery constraints affecting all entities in 
the chain of processes that move goods. The next stage is to find the right suppliers 
(purchasing or procurement) based on the needs of customers, users, and source. After 
planning and souring is complete, the manufacturing or tailoring of the product 
commences. Once the product is manufactured, it can be delivered. Delivery includes 
warehousing and transportation of goods. Then, the goods are inspected and accepted. 
The final steps in the supply chain are to return products from the customer due to 
unacceptable quality, recycling, or repair. 

The customer-contractor relationship requires flows of information and services. 

The service, product delivery, is the focus of this thesis. The stakeholders in the supply 

chain are the customer (Blue), who is in need of a product for the user, the provider of 

raw materials to the contractor and or subcontractor, and the transporter used to transport 
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all raw and finished material. These relationships are illustrated in Figure 3. The flows of 
information and deliveries are denoted by dotted lines and arrows, respeetively. The 
Souree of Raw Materials eommunieates (dotted lines) with the Transporter and the 
Contraetor, while it uses the Transporter to deliver (arrows) the produet. The Contraetor 
communicates (dotted lines) with all Subcontractors, Transporters, User and Customer. 
The Contractor uses the flow of information to accept deliveries from Subcontractors and 
deliver to the User, at the Customer’s request. The Customer is the liaison between the 
User (requirements and services) with the Contractor. The User uses the Transporter to 
receive delivery or to return products to the Contractor. The User communicates with the 
Transporter, Customer and the Contractor. The flow of information and services within 
the supply chain manages the actions of the supply chain. Control of that information 
determines the effectiveness of the movement of goods. The vast majority of supply 
chains are computer controlled and those computers are vulnerable to cyber-attack. 



Legend 


Figure 3. The Flow of Information and Services within the Supply Chain. 
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For both short-term and long-term thinking, the proeess deeomposition expands 
the SCOR to include processes related to cybersecurity issues. 

Of particular importance to this research are the implications of a catastrophic 
failure of the supply chain. As proposed by Nicholas Taleb (2010), black swan events are 
those that although improbable, with a probability of occurrence of less than 5%, once 
they occur their effects can be catastrophic. These events are labeled as improbable 
because current statistical models have them fall greater than four standard deviations 
outside the normal distribution. Hence, these events are considered as outliers and are 
ignored in all standard risk assessments. These outliers are considered black swans. 


Taleb continues by explaining that most currently used models rely on 
relationships and degrees of uncertainty that may only be effective for short-term 
forecasting, but fall short when trying to explain real word events (2010). These models 
are synonymous to inside the box thinking, where all dynamic aspects of the events in 
question are not considered. The black swan perspective can be applied to long-term 
supply chain vulnerability. A long-term black swan vulnerability, when it occurs, can 
destroy supply chain operations. 


These high-level processes are; 


1.1 “to forecast” 


1.1.1 “receive demand signals” 

1.1.2 “interpret customer demand signals” 

1.1.3 “assess response to demand signals” 

1.1.4 “evaluate responses to demand signals” 

1.2 “to plan” 


1.2.1 “determine the problem” 

1.2.2 “evaluate options for responding to demand signals” 

1.2.2.1 “provide for steady state delivery (with nominal variance)” 

1.2.2.2 “provide for steady state delivery (with surge variance)” 

1.2.2.3 “provide for emergency delivery” 

1.2.3 “identify the risks” 

1.3 “plan reverse logistics” 

1.3.1 “adjust design/architecture” 

1.3.2 “adjust execution/control” 
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1.4 “to determine risk (eombination of likelihood [0 < likelihood < 1] and 
consequence)” 

1.4.1 “do not include black swan events” (termed the short-term view) 

1.4.2 “include black swan events” (termed the long-term view) 

1.5 “to contract” 

1.5.1 “use build-to-order type” 

1.5.2 “use build-to-need type” 

1.5.3 “to pay” 

1.6 “monitor for short-term and long-term views” 

1.6.1 “use short-term operational metrics” 

1.6.2 “use short-term operational metrics” [if critical path time for need 
< net lead times] 

1.7 “relate risk to short-term and long-term views” 

1.7.1 “define black swan type events for each contract type” 

1.7.2 “characterize black swan events into natural and cyber” 

1.8 “support process flows” 

1.8.1 “communicate to stakeholders” 

1.8.2 “coordinate with stakeholders, according to” 

1.8.2.1 “stakeholder intent” 

1.8.2.2 “stakeholder needs” 

Forecasting involves determining the needs of the customer before the supply 
chain planning occurs. Once customer needs have been determined, then the 
manufacturer (Blue) can plan to meet the customer’s needs by specifying how those 
demand signals will be satisfied. The overall plan should include means of satisfying 
normal delivery of goods, including surge request or emergent needs. Reverse logistics is 
the process of making improvements in the supply chain delivery of goods based on 
logistic changes, customer demand signal changes, and product returns. Risk is assessed 
in the supply chain by the determination of likelihood and consequence based on short¬ 
term views (non-black swan events), and then by analyses of short-term views and long¬ 
term views to ascertain black swan events. The analysis requires monitoring and 
assessing for short-term and long-term related issues. Contracting is considered 
separately because it dictates how the demand signal will be met and how much 
flexibility will Blue have to meet the changes in customer’s needs in different scenarios 
(e.g.. Red’s attack). 
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From the short-term and long-term perspeetives, these proeesses are viewed as 
essential for moving goods among the principle stakeholders, (e.g., the source, suppliers 
for source, customer, and user). Each process assumes that any cyber-attack is confined 
individually to the stakeholder that is attacked, without regard for the risk of that 
stakeholder’s involvement with the supply chain (Bowman 2013). 

The number of stakeholders in a “simple” supply chain numbers in the hundreds. 
Referencing the given high level processes, stakeholders and stakeholder types to 
consider include: 

• (ref. 1.1.1) sender of demand signal requires a different, secure channel to 
confirm order; 

• (ref. 1.2.1) who has the problem, what is the genesis of the problem, and 
why is a problem; 

• (ref 1.2.2.3) power company and power distribution company and back-up 
power vendors; 

• (ref 1.3.2) who has indicated that repurposing of goods is necessary so 
that reverse logistics can be confirmed with a different, secure channel; 

• (ref. 1.4) who are involved with formative, causal actions that may lead to 
black swan events; 

• (ref. 1.5.3) banks involved with transfers of funds or access to accounts to 
facilitate transfers of funds; 

• (ref. 1.6) who are responsible for determining the metrics by which to 
monitor metrics for strategies related to short-term or long-term 
perspectives; 

• (ref. 1.7) who are responsible for defining and quantifying black swan 
events, such as solar flares interfering with communications; and 

• (ref. 1.8) attorneys involved with communicating with stakeholders 
regarding computer security policy, and contracts. 

As the thinking transitions from short term to long term, the types and number of 
stakeholders increase due to the addition of seemingly uninvolved stakeholders. For 
example, an intermediary bank might be seen as a stakeholder who could hold up the 
transfer of funds to initiate a contract. 
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Acquisition regulations require that government eontracts and work orders be 
legitimized with transfer of funds. The typieally amount of time for a wire transfer is half 
day for some, three days for most, and up to 15 banking days for settlements of some 
transfers, ineluding international transactions (assuming all banks are “member” banks of 
the U.S. Treasury Department) (FCC 2016). 

C. SUPPLY CHAINS, A NETWORK MODEL 

Based on the teehnologieal advanees in supply ehains and the need to improve 
effieieney and throughput, eonventional supply ehain analysis has evolved into modeling 
supply ehain as networks. A simple depletion of a network is illustrated in Figure 4 (Seott 
et al. 2011). 


Suppliers | 


Supplier 1 Supplier 2 Suppliers 



Customers 


Figure 4. Supply Chain Network Model. Souree: Seott et al. (2011). 

Due to the inereased number of interaetions between a greater number of 
stakeholders, managing the different flows of information, goods, supplies, and 
eomponents, and transform the intereonneetedness of the supply ehain into a network of 
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operational models. This complexity is shown in Figure 5. Where, in a simplified 
depiction, suppliers (squares A, B and C) supply to customer’s demands (circles D, E and 
F) of the network (Goetschalckx 2011). Each channel of flow is indicated by a solid line 
with an arrow showing the direction of flow, with each channel having different capacity 
and limitations. The supplier’s node generates flow and customer’s node consumes flow 
(Goetschalckx 2011). 


Supplies Demands 



Channels 


Figure 5. Complexities in the Supply Chain Network, Multiple Origin and 
Destination. Source: Goetschalckx (2011). 

In the supply chain, the process space is then termed a network model, wherein 
Red may attempt to attack and affect the networks’ critical path in both the short-term 
and long-term views. The critical path determines the time for product delivery, and the 
total of those paths are defined as the longest path (Goetschalckx 2011). Hence, the 
critical path should be identified for short-term operations by Blue to apply their limited 
resources (money and time) in an expeditious manner. From the long-term operational 
perspective, the critical path view of the short-term is not applicable because any path 
could be disrupted. With any massive disruption, it is fair to think of all paths as being 
critical in a massively parallel arrangement and therefore the disruption of one impacts 
the consequences of all paths (Garcez et al. 2003). 
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D. SUPPLY CHAIN INPUTS AND OUTPUTS 


To determine metrics for a supply chain by which management will determine its 
status and state of health, the inputs and outputs are outlined in terms of where and when 
goods flow in the supply chain process model. 

The inputs to Supply Chain Model are: 

• Product Related Inputs 

• type of goods 

• quantity of goods 

• departure location(s) for goods 

• delivery date(s) for departure of goods at departure location(s) 

• delivery location(s) for goods 

• delivery date(s) for goods arriving at location(s) 

• types of packaging for goods 

• Vendor Operations Related Inputs 

• planned Staffing 

• number 

• skills 

• Planned Availability of Equipment 

• planned Maintenance 

• planned efficiency of use 

• Planned Quality Control of Goods and Delivery 

• quantity of goods that failed inspection 

• type of goods that failed inspection 

• Planned Scrap and Rework 

• quantity of goods scrapped 
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• type of goods scrapped 

• quantity of goods reworked 

• type of goods reworked 

• Planned Time Stored (inventoried) 

• type of goods 

• quantity of goods 

The outputs from Supply Chain Model are: 

• Product Related Outputs 

• Goods Delivered 

• type of goods delivered on time 

• quantity of goods delivered on time 

• type of goods delivered on time with visible damage 

• quantity of goods delivered on time with visible damage 

• Goods not Delivered (wrong location (e.g., Shipment errors) 

• type of goods delivered late 

• quantity of goods delivered late 

• delivered late 

• substitute or alternate product delivered 

• wrong part delivered 

• destroyed 

• unaccounted 

• Vendor Operations Related Outputs 

• actual staffing hours direct 
• skill mix of labor 
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hourly rate for mix of labor 


• 

• actual availability of equipment 

• downtime / wait-time for equipment 

• maintenance time 

• actual quality of goods 

• passed / failed inspection 

• actual scrap and rework 

• percentage scrap of types of goods 

• percentage rework of types of goods 

• actual time stored (inventoried) 


E. INITIAL SHORT-TERM BASIC MODEL 

It is assumed that Red’s intent is to introduce some sort of stressor or stimulus 
with ultimate goal of gaining insight of the organization’s internal process that generate a 
particular observable event. In this case it can be assumed that Red has unlimited number 
of resources and is capable of introducing innumerable stimuli and stress on the supply 
chain. This thesis also assumes that the Red is not aware of the internal processes inside 
that control the supply chain. Red is in pursuit of a change of state in a causal variable 
that they can observe. An example of an observable event could be, for example, the 
Stuxnet worm that would automatically update via the Internet. From the Red’s 
perspective, the observable activity was the successful communication from one of the 
computers infected and the subsequent update. The attacks can be numerous and may not 
be predicted. From the perspective of the supply chain attacker, observable events are 
considered to accurately represent the true state of Blue’s operations. Blue is resource 
constrained in time and money, and it will take an innumerable about of resources to 
attempt to enumerate every possible observable that the attacker is monitoring. From 
another perspective. Red may be not be looking for a specific observable, but rather 
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merely looking for what are the observables generated by a specific stress or stimulus 
placed on the supply chain. Blue must then try to identify the process that seems the most 
critical. Initially, a critical process is one in which the mission objective is jeopardized 
when not executed. The model is represented graphically in Figure 6. 


Attack 

Stimuli or Stress 

Attack 1 


Attack 2 


Attack N 



Critical Processes 
Process 1 
Process 2 
Process N 


Inside the Organization, 
not Visible to the Red 


Observables 


Observable 1 
Observable 2 
Observable N 


Feedback 


Figure 6. Illustration of the Multitude of Attacks and Observables to Take into 

Account in the Supply Chain. 


1. Short- and Long-term Views Exemplified 

Short-term effects are those that provoke an immediate reaction to an event that 
has recently occurred. From Blue’s perspective the model in Figure 6 has no feedback 
based on the stimulus to the system. Blue believes that once Red initiates an attack on the 
system, Red has already achieved its goal. Blue then attempts to take corrective action 
from the stimulus, by developing short-term solutions like software patches, hardware 
upgrades and or process improvements. Process improvements may have the capability to 
provide Blue with long-lasting corrective actions. Unfortunately, when most process 
improvements are developed and implemented, they are developed from the perspective 
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of the initial attack and from what Blue believes was Red’s objective. These 
improvements most often do not take into consideration the long-terms effects of Red’s 
attack. 


2. Supplier Induced Risks and Supplier Rating: Assessing Risk Based on 
Selected Metrics 

Supplier induced risks, short-term metrics and the supplier’s rating are explained 

next. 


a. Supply Chain Metrics, Short Term 

In the general case supply chain management is reactive and stagnant. Reactive 
from the sense that problems are addressed only when there is a crisis, and the solutions 
to these problems are short term (Hunter 2012). These short-term approaches lack the 
depth of analysis required to understand the problem. The Under Secretary of Defense for 
Acquisition, Technology, and Logistics defines risk management as “an endeavor that 
begins with requirements formulation and assessment, includes the planning and 
conducting of a technical risk reduction phase if needed, and strongly influences the 
structure of the development and test activities ((DASD[SE] 2015). 

This section discusses the recommended metrics to be used to assess the 
supplier’s risk in the short term. These metrics can be used to determine the short-term 
measures of supplier’s performance. Once the metrics have been identified, then overall 
risk can be assessed qualitatively. Blue must determine low and risk thresholds based on 
the availability of resources. These thresholds are set quantitatively. The purpose of the 
model is to assist Blue in determining the critical processes with high risk. 

According to Hunter (2012), for metrics to be effective they should be; received 
timely (real-time), actionable, focused on vendor’s daily management, comparable to 
similar data packages from vendors and sub-vendors, simple to gather, and shareable. 
Based on this criterion the following metrics are suggested to assess the supplier’s 
effectiveness in the long-term view. 

• on-time shipping rate 
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• on-time delivery of supplier parts from vendor location (Gordon 2008) 

• on-time delivery of supplier parts from sub-vendor (Lee, Park, Shin 2009) 

• quality of delivery to the vendor from sub vendor (Tuncel, Alpan 2010) 

• supply management cost changes (ASD [L&MR] 2016) 

• internal quality of materials and parts (SCOR Model) 

• overtime for supplier (SCOR Model) 

• actual versus planned supplier maintenance hours (SCOR Model) 

• on-time delivery of quality corrective actions to vendor from sub-vendor 
(SCOR Model) 

• quality corrective actions to vendor from sub-vendor (SCOR Model) 

• inventories (Gordon 2008) 

• percentage of expected order that is shipped 

• supply backorders (ASD[L&MR] 2016) 

• repairs and returns (Teller, Kotzab, Grant 2011) 

• shipment errors (Lee, Park, Shin 2009) 

• scrap and rework (Gordon 2008) 

• planned versus actual staffing (SCOR Model) 

A perfectly operating supply chain provides for manufacturing of a sufficiency of 
goods, storage until needed, transfer and delivery of goods according to valid orders to 
correct locations on time. Using the metrics provided, a perfect supply chain would allow 
the supplier to have: a high shipping rate, on time deliveries, high quality products, low 
overtime, equal and planned maintenance hours. An imperfectly operating supply chain 
would not correctly deliver orders on time. An imperfect supply chain is more expensive 
than the defined perfect supply chain. 

The following metrics can be used by Blue to determine the physical and 
cybersecurity responsiveness to attack. From the perspective of short-term thinking, these 
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metrics are lagging indicators of attacks and as such serve to determine how well 
prepared Blue is to deal with changing Red attacks. 


• time to identify attack 

• time attack continued unnoticed 

• time to respond to attack 

• time to respond to susceptibility 

• time to respond to vulnerability 

• time to assess and evaluate vulnerability 

• time to assess and evaluate susceptibility 

• time to implement security fix (cyber or physical) 

• number of related incidents over time (short-term focus on the specifics of 
the immediate attack) 

• types of related incidents over time (long-term focus on the implications 
of short-term attacks) 

From the perspective of long-term thinking, these metrics can suggest the speed in 
which Blue must react surreptitiously to prohibit or lessen a complete collapse of the 
supply chain. 

If in the short term, the time to identify attacks, rectify susceptibilities, and 
decrease vulnerabilities, the long-term risk may increase. The increase occurs because the 
consequences of Red’s attacks may not be assessed. The early inability to detect Red’s 
attacks changes the trajectory of Blue’s response. It is of little solace that new tools are 
being implemented to detected if an attack has occurred (Committee on Oversight and 
Government Reform 2015). However, in the short term, the attacks are identified 
immediately and no data or information is lost, then the long-term risks may decrease. 
The decrease occurs because Red’s attacks are thwarted, and Blue’s system remain s 
unscathed. The counter argument to these increases and decreases is that Blue allows Red 
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to access a controlled portion of supply ehain network, fully knowing that in this 
controlled environment, Red’s attaek ean be monitored and evaluated. 

b. Anatomy of a Cyber-Attack 

Any registered domain (text version of an Internet protoeol (IP) or numeric 
address) on the eolleetion of networks (referred to as the Internet), links eomputers that 
ean access software programs that manage, retrieve, and store information and data. Any 
domain is a target for eyber-attaeks. Aecording to Joe Zott, who help establish the anti¬ 
tamper program at the National Seeurity Ageney, there are three steps to a eyber-attaek— 
learn the target, identify vulnerabilities and suseeptibilities, and plan the attack (Zott 
2008). 

1. Learning the target means to eheek for eommon computer hosts of 
information, data, and executable software; identify the number of hosts 
and IP addresses, (e.g.. Host 208.144.58.14); and the type of protocol 
(active or passive file transfer protoeol, FTP and protoeol to establish a 
remote terminal (telnet)); along with status of eaeh communication ports 
(open/closed). 

2. Identifying vulnerabilities for eaeh server means identifying the state of 
operations and the services and remote proeedures running on the various 
types of communications ports (e.g.. Port: 21) TCP—State: open msrpe 
(Mierosoft remote procedure eall, and Port: 8089/TCP—blacklCE- 
ICEeap, where TCP is the standard Internet transmission eontrol protoeol 
and blaeklCE-ICEoap is anti-haeker software designed to proteet against 
intrusion into enterprise networks). Eaeh service has known and 
exploitable vulnerabilities. The degree of suseeptibility is then determined 
by the amount of aecess gained through sueeessful passwords (for 
example), the level of control that is taken, and the kind of masking that 
will be effective in hiding the intrusion. 

3. Planning the attaek takes advantage of the enterprise arehiteeture, 
vulnerabilities, and suseeptibilities. Gaining aceess to and eontrol of the 
supply ehain enterprise management may be through a supplier, banker, 
insuranee earner, or any number of stakeholders eommonly deemed 
external to the enterprise network. Eaeh of these “external” stakeholders 
are integral to the operations, but not neeessarily on a day-to-day basis. 

Yet, external stakeholders should be considered as part of the internal 
operations of the supply chain computer management system. 
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An often-employed strategy for Red is to interrogate the supply ehain with attacks 
immediately after a security update to find and exploit susceptibilities before the next 
security update. Updates make changes that need to be evaluated in order to continue 
making cyber-attacks. The earlier Red adapts to changes in Blue’s system, the more time 
Red has to adapt and further attack the supply chain. Consequently, Blue needs to be 
most vigilant after security updates. The National Cyber Alert System hosted by the 
Department of Homeland Security offers products for current activity, alerts, bulletins, 
and tips (https://www.us-cert.gov/ncas). 

Planning the attack can be posed as a short-term tactic within a long-term 
strategy. There are typically five reasons for an attack in the short term—ranging from 
profiting from the sale of information to complete destruction of Blue’s enterprise 
capability (Zott 2008). The five broad categories of attacks are: 

• to gain control of a computer(s) to be used for future attacks or to sell 
information to other hackers 

• to obtain information 

• to modify information 

• to obtain service (e.g., to send a fraudulent email) 

• to implement denial of service by flooding bandwidth with messages, 
producing malformed packets, or by corrupting or changing the translation 
of domain name into the IP address. 

Information gained in the short-term can be used in the long-term. 

According to the DOD Risk Management Guide (DASD[SE] 2015), Blue can 
assess each of the suppliers involved with the supply chain by assigning a risk within a 
5x5 matrix made up of five levels of likelihood and five levels of consequence. The 
supplier’s performance is directly related to assessing the results of documented 
performances as collected and characterized as metrics. Table 1 illustrates the 
recommended likelihood criteria and Table 2 indicates the levels of consequence. Both 
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tables are adapted to cyber risk where it is preferred that the probability of occurrence is 
based on systems engineering analyses rather than the opinion of subject matter experts. 


Table 1. DOD Recommended Likelihood Criteria. Source: DASD(SE) (2015). 


Level 

Likelihood 

Probability of Occurrence 

5 

Near Certainty 

> 80% to < 99% 

4 

Highly Likely 

> 60% to < 80% 

3 

Likely 

> 40% to < 60% 

2 

Low Likelihood 

> 20% to < 40% 

1 

Not Likely 

> 1% to < 20% 


The DOD Risk Management Guide stipulates that “programs also consider the 
effect of aggregated risk on a program.” This thesis interprets that DOD guidance as 
considering the long-term perspective as well as the short-term perspective. 
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Table 2. DOD Recommended Structure for Categorizing Consequences. Source: DASD(SE) (2015). 


Level 

Cost 

Schedule 

Performance 

RDT&E 

Procurement 

Operations & 
Maintenance/Sustamment 

5 

Major impact. 10% or greater 
increase over APB d^reshold; or 
>$D. Management reserv^e 
depleted. 

Major impact. Budget or unit 
production cost (e.g., APUC) 
increasing to a significant Xunn- 
McCurdy breach; or increase of more 
dian $XX in programmed dollars 
(POM) 

Costs exceed Kfe cycle ownersh^ 
cost by 10%.. 

Abilit>- to sustain system in 
jeopardy. 

Schedule s% diat requires a major 
schedule re-baseKning; precludes program 
fi'om meeting its .APB schedule objectives 
by more than 6 months; negatw^e float to 
program completion 

Severe degradation precludes system fi'om meeting a 
KPP or key technical supportability threshold; will 
jeopardize program success; design or siqsportabilin' 
margins exceeded; unable to meet mission objectives 
(defined in mission flireads, ConOps, OMS 'MP) 

4 

Significant impact. 5%-<10% 
increase over APB threshold; or 
$C-^D. Requires use of 
significant management reserves. 

Significant impact. Costs that driv^e a 
unit production cost (e.g., APL'C) 
increasing to an .APB threshold 
breach of $C - < $D; or increase of 
$A'Y-XX in programmed dollars 
(POM) 

Costs driv’e increase of more than 
2 % over program’s lifecycle cost 
estimate; costs driv-e program to 
exceedHfe cycle ownership cost 
KS.A. 

Significanth' impacts abilit\' to meet 
planned milestones and or odier key dates. 
Established acquisition decision points or 
milestones will be delayed, impacting .APB 
schedule objectives by less than 6 months. 

Slip puts funding at risk; <5% float to 
major milestones or program completion 

Significant degradation impairs abilit\' to meet a 

KS.A; Technical design or supportabilit\' margin 
exhausted in key areas; able to meet one or more 
mission tasks . (defined in mission threads, ConOps, 
OMS MP); w’orkarounds roqt^ed to meet mission 
objecth’es 

3 

Moderate impact. 3% -<5% 
increase over APB dareshold; or 
$B - < $C; manageable with 
reserv^es; inabiHt>' to meet key 
cost metrics 

Moderate impact. Costs that drive 
unit production cost (e.g., .APUC) 
increase of $B -< $C; or $ZZ-YA’ in 
programmed dollars (POM);inabilit>' 
to meet key cost metrics 

Costs drive increase of y - z% 
over program’s lifecycle cost 
estimate or within 2% of life 
cycle ownership cost KS.A; 
inability to meet key cost metrics 

Minor schedule sKp, able to meet key 
milestones. Total program float decreased 
by X-Y% with float remaining poskiv'e, 
but nearh' consumed; <10% float to major 
milestones or program completion; 
inability to meet key schedule metrics 

Moderate reduction in technical performance or 
supportabilit\', unable to meet lower tier attributes 
(e.g. P.As); planned design or supportability margins 
reduced; inabilitv' to meet key TPMs, CTPs;. 
Workarounds required to achieve mission tasks 
(defined in mission threads, ConOps, OMS 'MP) 

2 

Minor impact. 1%- <3% increase 
over APB threshold; or $A- < 

$B; exceeding cost metrics 
tripwires 

Minor impact. Costs diat drive unit 
production cost (e.g., APUC) increase 
of $.A-< $B; or $AA-ZZ in 
programmed dollars (POM); 
exceeding cost metrics tripwires 

Costs drive increase of x- y% 
over program’s lifecycle cost 
estimate; exceeding cost metrics 
tripwires 

.Able to meet key dates. Total program 
float decreased by less than X%, widi 10% 
or greater positive float remaining.; 
exceeding schedule metrics tripwires 

Nfinor reduction in technical performance or 
supportabilit>'; can be tolerated with little or no 
impact on program oliqectives. Design margins will 
be reduced, but within limits tradespace; exceeding 
key TPMs, CTPs tripwires 

1 

Minimal impact. <1% increase 
over APB direshold; or <$A. 

Costs expected to meet approved 
funding levels, not projected to 
increase above thresholds 

Minimal impact. Costs that driv’e 

APUC increase of < $A ; or less than 
$-AA in programmed dollars (POM). 
Costs expected to meet approved 
funding levels, not projected to 
increase above thresholds 

Costs drive increase of :^x% 
over program’s Hfecycle cost 
estimate. 

\finimal or no schedule impact. 

\finimal or no consequences to meeting technical 
performance or si^ortabiliU’ requirements. Design 
margins will be met; margin to planned tr^wires. 
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Low risk is assigned to a supplier’s score less than a predetermined low-risk 
threshold. Medium risk is assigned to a supplier’s score within the low- and high-risk 
thresholds. Finally, high risk is assigned to a supplier whose score is higher than the 
predetermined high-risk threshold. 

The consequences of the short-term attack can be structured in the format shown 
in the DOD Risk Management Guide. Table 3 illustrates the adaptation of the DOD 
categorization of consequences. 


Table 3. Adaptation of the DOD Categorization of Consequences. Adapted 

from DASD(SE) (2015). 


Short-term Consequences 

Level 

Function 

Performance Consequence 

Schedule 

1 

Produce goods 

- wrong parts ordered from vendor 

- no parts ordered from vendor 

- parts ordered from wrong vendor 

Short-term duration 


Manufacture goods 

- no electricity 

- labor shortage (illness, labor strife, civil 
unrest) 



Store goods 

- parts/goods put into wrong location 

- retrieved wrong parts from right location 



Ship goods 

- goods loaded into wrong transport vehicle 




- vehicles do not arrive (no request received, 
sent to wrong location, sent at a different 
time than requested) 



Receive goods 

- wrong parts (misidentified, or wrong) 

- insufficient number 



When only a few goods or parts fall into the performance consequences indicated 
in Table 3, with a brief interruption in schedule of delivery for the supply chain, the 
user’s activities may be minimally affected. A level 1 risk is indicated for these cyber- 
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attacks since the eritieality of delivery typieally involves routine work-arounds. As the 
number of eonsequenees inereases, the user may experience greater impaets from the 
malfunetioning supply chain. The short-term view may be several “small” impacts that 
are not eonsidered remarkable in and of themselves. As the number of problems in the 
supply ehain inerease and the eonsequenees inerease, the eategories of severity inereases 
and the risks inerease. 

From the cyberseeurity and supply ehain perspeetive, cost will be dependent on 
the level of researeh needed to develop, produee and/or operate, maintain and sustain new 
software and/or hardware. Sehedule impaets depend on the effeets of eyberseeurity on the 
sehedule of delivery of aequisition milestones, deeision points and program completion. 
The level of performanee is degraded when the eyberseeurity affeets the teehnieal 
performanee of hardware or software at is relates to eustomer requirements. The eoneepts 
of eost, sehedule, and performanee ean be tailored to the eyberseeurity situation where 
the supply ehain is moving goods during several types of situations. For example, 
“normal supply” for supporting mission’s operations; and “eritieal supply” during 
emergeneies will provide Red with operational situations and response to typical 
problems. A normal supply situation is one whieh the supplier supports the user’s need as 
required by the customer (Blue). The eritieal supply seenario oeeurs either when the user 
requires immediate delivery of a product due to emergency repairs or beeause the supply 
ehain was not able to deliver as required. 

Now assume that a short-term attaek is meant for Red to aceomplish one or more 
of the following (in order): 

1. Discover the servers that partieipate in Blue supply ehain 

2. Learn the names of the servers and their assoeiated passwords to gain 
aceess 

3. Map the arehiteeture of the servers 

4. Identify the partieipants 

5. Identify the routing of messages to transfer goods 
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From the supply chain perspective, assume that Blue wants to assess the risk on 
Red’s ability to discover the servers in Blue’s supply chain (Risk #1) and learn server 
names and passwords (Risk #2). Based on this information, Blue assumes that based on 
historical data and current security protocols, and determines that Risk #1 and #2 have a 
probability of occurrence of 65% and 35%, respectively. Based on these probabilities and 
using Table 2, then. Risk #1 and #2, have a risk likelihood level 4 and 2, respectively. 
These results are highlighted on Table 4. 


Table 4. Likelihood Criteria for Risk #1 and #2. 

Adapted from DASD(SE) (2015). 


Level 

Likelihood 

Probability of 
Occurrence 

Risk 

5 

Near Certainty 

> 80% to < 99% 


4 

Highly Likely 

> 60% to < 80% 

#1 

3 

Likely 

> 40% to < 60% 


2 

Low Likelihood 

> 20% to < 40% 

#2 

1 

Not Likely 

> 1% to < 20% 



Blue assesses the consequences for Risk #1 and #2 based on the impact on cost, 
schedule and performance. Risk #1 and #2 have major and minor impact, respectively. If 
the server name and passwords are compromised (Risk #1), the resulting impact will 
critically affect the cost of repair, delivery schedules and the subsequent ability to make 
future deliveries. If the server locations are compromised (Risk #2), Blue assumes that 
the overall impact is minor since knowing the server location may have a minor impact 
on cost (server’s Internet protocol (IP) address can be changed), schedule (changing the 
IP address may take a couple of hours) and performance (little to no effect on the delivery 
of goods and services). A summary of those results are illustrated on Table 5. In 
summary Risk #I has a likelihood of level 2 and consequence of level 5. The same 
methodology can be applied to Risk #2, which has a likelihood of level 2 and 
consequence of level 2. 
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Table 5. Consequence Criteria for Risk #1 and #2. 

Adapted from DASD(SE) (2015). 


Level 

Cost 

Schedule 

Performance 

Risk 

5 

Major Impact 

Major Impact 

Major Impact 

#1 

4 

Significant Impact 

Significant Impact 

Significant Impact 


3 

Moderate Impact 

Moderate Impact 

Moderate Impact 


2 

Minor Impact 

Minor Impact 

Minor Impact 

#2 

1 

Minimal Impact 

Minimal Impact 

Minimal Impact 



Once Blue has determined mitigating measures for all identified risks, then the 
likelihood and consequence can be recorded in Risk Register for traceability of risks and 
their associated rating (DASD[SE] 2015), as shown in Table 6. Blue assessed that based 
on their risk strategy, the likelihood of Risk # 1 and #2 occurring is reduced to level 3 and 
1, respectively. Eikelihood is indicated as an E, and consequence as a C in Table 6. 


Table 6. Supplier Risk Levels Based on Quantitative Metric Performance. 

Adapted from DASD(SE) (2015). 


OwTter 

of 

Risk 

Statns 

Tier 

Risk Trent 

LUccUhood, 

Coa»«|ueace 

Risk RandKng 

Riak 

(deufified 

Thile 

Risk. 

Approve 

Dalle 

Flaaued 

Cour« 

Dade 

Tanseled 

Kek 

RalaiX 

Plan 

John 

Smiih 

Technical 

Open 

n 

Server name 
and 

passwords 

arc 

compromised 

U=5C=5 

Miiigaiion - 
Utilize strong 
password 
authentication 

10.02/16 

11/12/16 

12/12/16 

L=4 

C=5 

On 

Schedule 

Jane 

Smith 

Technical 

Open 

1 

Discover the 
servers in 
Blue’s 
supply chain 

b=2C=2 

Mitigation 
change 
intranet IP 

atldrcs'a'rs 
every 30 days 

10/12/16 

11/12/16 

12/12/16 

L=1 

0=2 

On 

Schedule 


Once improvements are put in place, based on assessed corrective actions. Blue 
can use the same metrics to determine the effectiveness of these improvements. The 
model may also be used to compare critical processes and determine which process 
improvement is most effective under limited resources. 
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III. LONG-TERM SUPPLY CHAIN VULNERABILITY 


The topic of long-term success for a supply chain is predicated on having 
measured, quick responses to cyber-attacks that are effective in sustaining a near- 
perfectly operating supply chain. User and mission are neither impacted by the responses 
to the cyber-attacks nor by the solutions that are implemented. Knowing what to do and 
how to overcome the problems derive from the experiences offered by the portending 
events exposed during the short-term cyber-attacks. The approach of preparing for a 
black swan event is rooted in these short-term cyber-attacks. 

There would seem to be no expeditious way to prepare for a completely 
dysfunctional supply chain other than to have all of the required parts for any use at the 
right location all the time. The practical nature of providing all parts at the right location 
all the time is near-impossible to determine for all future events and likely prohibitively 
expensive. Preparing for a black swan event is rightly considered as an integral part of the 
long-term perspective. Rather than predicting the consequences of uncertainty, the DOD 
risk framework combines with the functional nature of the supply chain to afford a view 
of the vulnerabilities to cyber-attack. The short-term breakdowns in the supply chain 
provide the basis for fixing system problems in the supply chain architecture. The 
functional description of “to manufacture,” “to store,” “to move,” “to accept” provides a 
description of how cyber-attacks can disrupt each function, labelled “consequence” 
(Table 3 from Chapter II). The short-term risk differs from the long-term risk, thereby the 
mix and match of the short-term cyber-attacks can be modeled into combinations that 
degrade the supply chain functions for a long-term black swan event. To prepare for the 
black swan, what needs to be fixed in the supply chain needs to be broken in the short 
term or anticipated to be broken in the short term. Through the functional perspective 
used in systems engineering, there is no need to predict uncertainty. When a portion of 
the supply chain is broken, it needs to be fixed in concert with the survival of the whole 
supply chain, not just the portion that was broken. 
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A. LONG-TERM VIEWS—A BLACK SWAN EVENT: THE IMPACTS OF 

IMPROBABLE EVENTS 

Uncertainty in information and data concerning the vulnerability of a supply chain 
to cyber-attacks results in decision risk, operational risk, programmatic risk, and technical 
risk (Ullman 2009). Uncertainty in managing the outcomes of directing and controlling a 
supply chain depend on measuring the functional performance against the short-term and 
long-term metrics, while taking into account any uncertainty in forecasts or assessing 
risks. The concept of risk can be thought of as a continuous function, with probability 
distribution functions providing a convenient mapping between intervals of possible 
events and probabilities or likelihood of occurrence. The basis of risk is the uncertainty in 
the variables that are causal to the events that we fear for loss or injury—for this research, 
the functional architecture that makes the supply chain vulnerable to cyber-attacks. 

Anna Orlik and Laura Veldkamp, writing for the U.S. National Bureau of 
Economic Research (Orlik and Veldkamp 2014) showed that significant fluctuations in 
uncertainty can be seen in the Gross Domestic Product data from 1947 to 1968— 
indicative of black swan events. Black swan events are detectable in the skewness of a 
distribution (Orlik and Veldkamp 2014). The probability distribution functions used by 
professional forecasters are traditionally symmetrical (Gaussian). Gaussian mathematics 
is straightforward and supported by readily available statistical software, making the 
calculations within the reach of forecasters. However, the probability distribution 
functions derived from the quarterly economic data were asymmetrical (i.e., non- 
Gaussian). Orlik and Veldkamp showed that by separating the parameter updating from 
the skewness the uncertainty rose with each stressor in the economy (i.e., caused by each 
economic recession). That uncertainty was strongly correlated with the defined event, the 
black swan. Upsurges in uncertainty were shown to correspond with probability of “long 
taif’ events, as expressed by increases in skewness (Taleb 2010; Orlik and Veldkamp 
2015) over that of non-stressor imbued data. 

Causes of increased uncertainties arise in managing a supply chain include 
overrunning budgets (causes misunderstood), missing delivery milestones (causes 
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ascribed incorrectly), insufficiency of skilled personnel (inadequate management 
eommunieations), ineffective proeess eontrols, and vulnerability to cyber-attacks, for 
example. In general, any aetion that impacts the linear nature of scheduling activities, 
commensurate with budgetary and functional performances, leads to non-linear effeets 
that increase the likelihood of uncertainty. Yet, none of these listed items are blaek 
swans. 

B. LONG-TERM PROCEDURES AND MODEL 

Refereneing the short-term model. Red’s intent is to introduce a stressor or 
stimulus to gain insight of the Blue’s internal proeess and computer operations that 
generate particular observables. Observables that are visible within the organization and 
ean be discerned through the exchange of eommunieations on the computer network(s), 
and those observables that ean be deteeted externally are feedbacks that Red requires to 
learn about the effeetiveness of eyber-attaeks. That is to say, if Red did not receive 
feedback as to the effectiveness of their cyber-attacks, then the impacts on the supply 
chain many not be discemable, and Red may change their attack schemas. 

In summary. Blue assumes that Red has unlimited number of resources is capable 
of introducing innumerable stimuli and stresses to interrogate the supply ehain. The stress 
or stimulus triggers an internal proeess that produces an observable event, and Blue’s 
internal process inside the supply chain may or may not be seen by Red. For example, the 
long-term objective for Red in Stuxnet was to take eontrol of the digital eomputers used 
for plant’s automation. Red’s focus was to increase the speed to the centrifuges to cause 
mission failure, due to several short-term stresses on the system (e.g., infeeting one of the 
plant’s computers operating system to multiply the Stuxnet worm and reaeh across 
multiple computers in the long-term). The long-term objective for Blue is to then try to 
identify the processes that seem to be most critical. Criticality can usually be found in a 
few proeesses or in an aggregation of well-time failures that freeze operations of the 
supply ehain. The long-term model is represented graphically in Figure 7. 
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Feedback N 


Figure 7. Long-term Model Illustration of the Multitude of Attacks and 

Observables on the Supply Chain. 

For long-term objectives. Red will generate one attack (Attack 1) on the system 
that eventually causes Blue to respond and cause an external observable (Observable 1). 
Observable 1 is monitored and fed back (Feedback 1) to Red. Red in turn generates 
subsequent attacks (in series, parallel, single or simultaneous) denoted as Attack N, 
which generates an Observable N, and fed back N number of times. The process 
continues where Blue may not notice the interrelation between the attacks. At a future 
time. Red decides to initiate all or a series of attacks to attain an effect (black swan) to 
causing mission degradation. Notice the difference in the feedback loop in the long-term 
versus short-term objectives. For long-term objectives, the feedback provides the initial 
conditions for the next attack. The short-term objectives, offer feedback to provide 
observable events for Red, it ends there. From Blue’s perspective the multiple attacks 
may not be related. 

The final impact on Blue in the long term is that the supply chain process ceases 

to function as a perfect supply chain. In order to restart the flow of goods and parts 
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through the supply chain, it may require new sources of equipment and new acquisitions, 
since the existing suppliers may not be able to deliver when designated. 


C. SOURCES OF UNCERTAINTY 

Orlik and Veldkamp define a black swan event as one that exhibits uncertainty 
fluctuations, caused by “time-varying risk of unobserved tail events” (Orlik and 
Veldkamp 2015, 2), in other words a “conditional probability of a rare event” (2015, 4). 
These “tailed” events related to the thickness of the expected distribution tails, also 
known as skewness. Such fluctuations assume that the true distribution of supply chain 
vulnerabilities occur as unknowns. The significant contribution of Orlik and Veldkamp 
was to explain large fluctuations in uncertainty as due to changes in the likelihood of 
events that were distributed far from the mean of the data. Through a careful analysis of 
the causes of statistical significance, Orlik and Veldkamp discovered, it was not changes 
in the variance in the data that was the culprit, but an associated risk with black swans. 
“Thus, everyday fluctuations in a data series can produce large fluctuations in conditional 
variance for an agent who is constantly re-estimating the tails of the distribution,” (Orlik 
and Veldkamp 2015, 1). 

For black swan events, as defined by Orlik and Veldkamp, uncertainty (Uit) is the 
variance of the expected value of the expected metric recorded data point (yt+i) at time 
t+l minus the forecasted metric expected value E(yt+i|Iit) given new information (ft) 
(2015). The equation for Uit is shown in Figure 13. 



Figure 8. Uncertainty. Source: Orlik, Veldkamp (2015). 


The forecasted metric value yt+iUu is defined as the probability of the next data 
point (yt+i) given the new information received changed the perception (/,>), where the 
growth yt+i is for all information captured through each period of time t. 
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Volatility (V,) is defined as variance of uncertainty, taking into consideration that 
unexpected data value collected (yt). The forecasting Model (V/) has a vector of 
parameters (0). Every M has agent /’s information in set Ut that incorporates the volatility 
based on history y\ the Model M, and the parameters 6. The equation for Vt is shown in 
Figure 14. 


Vt = 



{yt+i - E[yt+i\y^,e,M]) 




Figure 9. Volatility. Source: Orlik, Veldkamp (2015). 


The square of uncertainty is equal to the expected squared forecast error (Orlik, 
Veldkamp 2015, 9). There are six traditional strategies for the Model M forecasting 
model to manage the movement of goods through the supply chain, termed (Perez 2013): 

• efficient supply chain model—driven by customer demand with outbound 
logistics to maintain inventory in transit to satisfy surge needs. 

• fast supply chain model—geared for short life-cycle products with 
production of goods scheduled in batches. 

• continuous-flow supply chain model—relies on stability in supply and 
demand to provide for a steady flow of goods, with little variation in the 
same set of goods. 

• agile supply chain model—driven by customer for goods with unique 
specifications, often stimulated by unpredictable demand, and resulting in 
excess goods in the supply chain. 

• custom-configured supply chain model—driven by the a high ratio of cost 
of assets to the total cost of the totality of the supply chain because of the 
high-degree of configurability of goods to satisfy a mix-and-match 
requirement that varies from user to user. 

• flexible supply chain model—structured to deliver goods with demands 
that cannot be forecasted, resulting in delays for deliveries, periods of high 
volume work and low volume work, and noted for responding to 
unexpected situations. 
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While customers may want to have all six strategies at least possible within their 
supply chain architecture, the agglomerated result will offer no one strategy in an 
optimized fashion, with some strategies found to be distinctly underperforming (Perez 
2013). 

Without choosing a specific model for this thesis, the model for the efficient 
supply chain is examined to investigate long-term issues resulting from cyber-attacks. 

D. LONG-TERM METRICS 

The equation for volatility (Vt) is used to set thresholds for each event that stress 
the supply chain. The following metrics can be used by Blue to determine the physical 
and cybersecurity responsiveness to an attack. These metrics are forecasting/leading 
indicators of attacks. Attacks on the supply chain that lead to overall catastrophic supply 
chain failures (e.g., communication malfunctions, delivery of wrong goods to various 
locations, and consequences indicated in the short-term consequence table) can be 
measured as follows: 

• percent of correct goods that leave on time 

• percent of correct delivery of goods at proper location 

• percent of goods damaged in transit 

• percent of goods that are missing from inventory 

• estimated time to restore communications problems 

• estimated time to locate missing goods 

• estimated number of wrong parts that might be delivered 

• probability of misled decisions 

• estimated degree of effectiveness in carrying out proper analysis and 
evaluation of supply chain problems (i.e., status of activities if multiple 
functional failures occur) 

As with the short-term consequences, the long-term attack can be structured 

similarly in the format shown in the DOD Risk Management Guide. Table 7 illustrates 

the adaptation of the DOD categorization of long-term consequences. For long-term 
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effects, there is combination of events from multiple functions. For example, multiple 
unrelated parts from multiple vendors do not arrive when critically needed, and multiple 
unrelated labor shortage (illness, labor strife, civil unrest) occur at multiple locations at 
the same time causing mission failure. The term “unrelated” implies that Blue is not 
aware of the implications of the event nor does not find the correlation in the events. The 
likelihood for long-term problems is shown in Table 8. 


Table 7. Adaptation of the DOD Categorization of 
Consequences for Long-term. Adapted from DASD(SE) (2015). 



Long-term Consequenees 


Level 

Funetion 

Performanee Consequenee 

Sehedule 

Seale the 
eonsequenees 
from 5 (high) to 

1 (low) as the 
situation is 
assessed as 
ehanging from 
the short-term 
perspeetive 

Produee goods 

Manufaeture goods 

Store goods 

Ship goods 

Reeeive goods 

Multiple unrelated parts: 

- from multiple vendors don’t arrive 
when eritieally needed. 

- from multiple vendor are not 
ordered 

- ordered from wrong multiple 
vendors 

Multiple unrelated: 

- eleetrieal faults generate power 
failure at multiple loeations in the 
supply ehain 

- labor shortage (illness, labor strife, 
eivil unrest) oeeur at multiple 
loeations 

Multiple unrelated: 

-parts/goods put into wrong loeations 

- retrieved wrong parts from right 
loeations 

- Multiple unrelated goods loaded 
into wrong transport vehieles from 
different vendors 

Multiple unrelated: 

-vehieles do not arrive (no request 
reeeived, sent to wrong loeation, 
sent at a different time than 
requested) 

- wrong parts (misidentified, or 
wrong) reeeived 

- insuffieient number reeeived 

Long-term duration 
(e.g.. Mission failure) 
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From the supply chain perspective, Blue determines that a problem is detected in 
the type of goods that are planned to be transited to a location with an urgent need. This 
behavior has been observed before and Red is suspected to be perpetrating a cyber-attack 
(Risk #1). Subsequently, communications is lost with another user (also an infrequent 
event) (Risk #2). The temporal proximity of the two risks is cause for suspicion and an 
analysis of the long-term consequences is initiated. Based on this information. Blue 
assumes that the historical data and current security protocols are undermined by a cyber¬ 
attack and further that Risk #1 and #2 have a probability of occurrence of 75% and 80%, 
respectively. Based on these probabilities and using Table 1, then. Risk #1 and #2, both 
have a risk likelihood of level 4. Appropriate, planned actions are then taken by Blue to 
continue transiting appropriate goods to proper locations. These results are highlighted in 
Table 9. 


Table 8. Likelihood Criteria for Risk #1 and #2. 

Adapted from DASD(SE). (2015). 


Level 

Likelihood 

Probability of 
Occurrence 

Risk 

5 

Near Certainty 

> 80% to < 99% 


4 

Highly Likely 

> 60% to < 80% 

#1,#2 

3 

Likely 

> 40% to < 60% 


2 

Low Likelihood 

> 20% to < 40% 


1 

Not Likely 

> 1% to < 20% 



Blue assesses the consequences for Risk #1 and #2 based on the impact on cost, 
schedule and performance. Risk #1 and #2 have a combined significant impact. A 
summary of those results are illustrated in Table 10. In summary Risk #1 has a likelihood 
and consequence level of 4 and 5 respectively, then L=4 and C=4. The same 
methodology an be applied to Risk #2, which has a likelihood and consequence of L=4 
and C=4. 
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Table 9. Consequence Criteria for Risk #1 and #2. 

Adapted from DASD(SE). (2015). 


Level 

Cost 

Schedule 

Performance 

Risk 

5 

Major Impact 

Major Impact 

Major Impact 


4 

Significant Impact 

Significant Impact 

Significant Impact 

#I,#2 

3 

Moderate Impact 

Moderate Impact 

Moderate Impact 


2 

Minor Impact 

Minor Impact 

Minor Impact 


1 

Minimal Impact 

Minimal Impact 

Minimal Impact 



Once Blue has determined mitigating measures for all identified risks, then the 
likelihood and consequence can be recorded in Risk Register (Table 10) for traceability 
of risks and their associated rating (DASD[SE] 2015). Blue assessed that based on their 
risk strategy, the likelihood of Risk # 1 and #2 occurring is reduced to level 3 and 1, 
respectively. 


Table 10. Risk Register for Traceability of Risks and Their Associated Rating. 

Adapted from DASD(SE) (2015). 


Owner 

Type of 

Risk 

Status 

Her 

Risk Event 

likelihood, 

Coasequence 

Risk Handling 

Risk 

Identified 

Date 

Risk 

Approval 

Date 

Planned 

Course 

Date 

Targeted 

Risk 

Ratint 

Flan 

John 

Smith 

Technical 

Open 

11 

Server name 
and 

passwords 

arc 

compromised 

L=5C=5 

Mitigation - 
Uliliiu; strong 
password 
authentication 

10/12/16 

11/12/16 

12/12/16 

L=4 

C=5 

On 

Schedule 

Jane 

Smith 

Technical 

Open 

1 

Discover the 
servers in 
Blue’s 
supply chain 

L=2C=2 

Mitigation - 
change 
intranet IP 
addresses 

every 30 days 

10/12/16 

11/12/16 

12/12/16 

L=1 

C=2 

On 

Schedule 
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IV. CONCLUSION AND RECOMMENDATIONS 


A life-cycle approach to successful supply chain vulnerability assessment 
includes in-depth analysis of both short-term and long-term metrics. Short-term views 
may be used as mitigation factors and to conduct immediate corrective actions to address 
a found vulnerability. Unfortunately, these short-term actions may fall short in attempting 
to determine or even assess what are or could be Red’s long-term objectives. Red’s long¬ 
term objectives may not be driven by the immediate rewards of the short-term attack, but 
rather to collect information to be used in the future. At the time of the short-term attack. 
Red may not explicitly know what is its long-term objective, but may be formulating it as 
they progress though short-term cyber-attacks. But when the time comes in the future, 
where Blue’s mission degradation is needed. Red may trigger a series of attacks. 

Short-term responsiveness to cyber-attacks on supply chains can be boosted by 
identifying the thresholds on long-term effects, black swan events can be postulated from 
the metrics for short-term cyber-attacks. Since long-term dangers of black swan events 
are meant to destroy supply chain effectiveness for a critical period, the types of black 
swan events identified in this thesis are meant to be combinations of the short-term 
problems typically faced during cyber-attacks. 

The black swan events can be identified by mapping the short-term metrics (e.g., 
percentage of expected order that is shipped, repairs and returns or scrap and rework) into 
long-term metrics (combinations of expected order that is shipped, repairs and returns, 
and scrap and rework). In other words, various short-term metrics need to be monitored 
by Blue to be interpreted as an attack to intentionally deceive and achieve a long-term 
objective. Deceive by Red with short-term cyber-attacks; Blue believed there was no 
problem in shipping items. Blue was confident that all fixes from the short-term cyber¬ 
attacks were effective. However, Red had inserted sophisticated software code, that when 
activated in the future, would force Blue to ship all items to wrong locations. Therefore, 
all parts will be missing. 
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Long-term views must eonsider the short-term metries and how a eombination of 
those metries may provide the big pieture of what will be the black swan event (Red’s 
long-term objective). Blue must use the tools and metrics provided in this thesis to 
together with external process, organizational audits, and health assessments to attempt to 
identify those long-term black swan events. The idealization of a supply chain black swan 
caused by Red, posed as the premise of this thesis, substantiates the notion that short-term 
cyber-attacks can indeed be considered as precursors for long-term problems. 

Further areas of study include the application of the ideas presented in this study 
to develop a strategy to increase black swan awareness for network supply chains. A 
study of the cyber-attack scenarios for operational supply chains is recommended. 
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APPENDIX. OTHER SHORT-TERM VULNERABILITY 
MANAGEMENT ERAMEWORKS AND INITIATIVES 


The following are current initiatives dealing with the cybersecurity threat and are 
derived in support of Executive Order 13636 (2013). These initiatives help validate how 
federal and private entities are addressing the cybersecurity threat as it relates to the 
vulnerability analysis presented in the previous section. Although the list provided is not 
exhaustive, these initiatives were chosen because of their relevancy to this study. These 
include federal, both civilian and DOD, as well as commercial frameworks and initiatives 
to support the president’s cyber initiative. 

A. DEPARTMENT OF DEFENSE AND OTHER INITIATIVES 

1. Department of Defense Initiative 

As promulgated by the DOD’s FY 2016 Chief Information Officer, the top 
information-technology priorities include modernizing networks, sharing with mission 
partners, reducing DOD information-technology costs, defending against cyber-attacks, 
managing DOD data, empowering mobile data access, and maximizing spectrum of 
access (DOD 2016). This document is the overarching strategy that enables the needed 
changes in the DOD’s cybersecurity, as required by Executive Order 13636 3 C.F.R. 

2. United States Computer Emergency Readiness Team 

The goal of the United States Computer Emergency Readiness Team (US-CERT), 
under the Department of Homeland Security, is to provide the means to share cyber threat 
vulnerabilities and manage cyber risk (United States Computer Emergency Readiness 
Team [US-CERT] 2016). US-CERT (2016) recommends this be accomplished by 
establishing an Internet operations center (https://www.us-cert.gov) that is open 24 hours 
a day, seven days a week, and responds to incidents, provides technical assistance, and 
posts recent vulnerabilities. 
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3. Supply Chain Risk Management Practices for Federal Information 
Systems and Organizations (NIST SP 800-161) 

The National Institute of Standards and Teehnology (NIST 2015) in Supply Chain 
Risk Management Praetiees for Federal Information Systems and Organizations (NIST 
SP 800-I6I), has provided guidanee to federal ageneies for “identifying, assessing, 
seleeting and implementing risk management proeess and mitigating eontrols” (2). This 
doeument addresses the risks in the supply ehain by enumerating the threats and 
vulnerabilities and by analyzing the likelihoods of these threats exploiting the 
vulnerabilities and, hence, determining the degree of harm (NIST 2015). 

4. Guide for Applying the Risk Management Framework to Federal 
Information Systems: A Security Life-Cycle Approach (NIST SP BOO¬ 
ST) 

The purpose of the Guide for Applying the Risk Management Framework to 
Federal Information Systems: A Security Life-Cycle Approach (NIST SP 800-37) is to 
provide procedures for applying risk management to cyber systems (NIST 2010). The 
instruction applies the principles from the aforementioned NIST SP 800-I6I. 

5. Managing Information Security Risk Organization, Mission, and 
Information System View (NIST SP 800-39) 

The purpose of Managing Information Security Risk (NIST SP 800-39) is to 
establish minimum required guidelines to address the management of information 
systems and their environment (NIST 2011). The author of this publication used tiers of 
risk management to address risk at all levels. NIST (2011) defines the tiers as 
organization, mission process, and information-system level and employs a feedback loop 
to pursue continuous improvement. This was accomplished by framing, assessing, 
responding, and monitoring risk in ways similar to the seven-step approach by Zsidisin 
and Richie (2008) and DOD Risk, Issue, and Opportunity Management Guide for 
Defense Acquisition Programs (DASD[SE]) 2015). Unfortunately, analysis falls short 
when assessment of the risk is limited to organizational response and does not account for 
long-term objectives. 
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6. Cybersecurity Instruction for the DOD (DODI 8500.01) 

The Department of Defense (2014a) published guidanee in DOD Instruetion 
(DODI) 8500.01, entitled Cybersecurity, to establish a program to defend and protect the 
department’s information and information technology. This instruction charges the DOD 
with “implement[ing] a multi-layered cybersecurity risk management” (DOD 2014a, 2). 
This is accomplished by considering the threats to information systems, making an 
assignment to a service component’s cybersecurity program, addressing risks as early as 
possible in the system’s life-cycle, and making documentation intra-available to promote 
exchange of similar information between entities (2014a). This document reiterates the 
importance of having resilient systems that are integrated and interoperable. 

DODI 8500.01 uses the same tiers of risk management illustrated in the 
aforementioned NIST (2011) special publication Managing Information Security Risk, 
Organization, Mission, and Information System View (NIST SP 800-39). NIST SP 800- 
39 has precedence. 

7. Risk Management Framework for DOD Information Technology 
(DODI 8510.01) 

The Risk Management Framework for DOD Information Technology, DODI 
8510.01, applies to the entire DOD with the intention of establishing “an integrated 
enterprise-wide structure for cybersecurity risk management” by implementing NIST SP 
800-39 (DOD 2014b, 2). The instruction accomplishes this by identifying, implementing, 
assessing, and managing cybersecurity capabilities in six steps. The six steps comprise 
categorizing, selecting, implementing, assessing, authorizing, and monitoring (DOD 
2014b). This process parallels the system life-cycle with risk-management framework 
activities. 

The main disadvantage of this approach is that step one, categorizing, bounds the 
problem to what the information owner identifies as impacting confidentiality, integrity, 
and availability. Although enumerating the risks this early in the process is better than no 
plan at all, bounding the problem too early may limit the discovery of possible threats. 
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This methodology does not account for long-term views external to the system being 
analyzed. 


8. Microsoft’s White Papers 

Two white papers by Microsoft Corporation, Cyber Supply Chain Risk 
Management: Toward a Global Vision of Transparency and Trust (2011) and Toward a 
Trusted Supply Chain: A Risk Based Approach to Managing Software Integrity (2014) 
offer a commercial-sector perspective on supply chain risk and its relationship to 
information and communication systems. The white papers conform to International 
Organization for Standardization (ISO) 31000 (risk management principles and 
guidance), a programmatic risk-management process accomplished by conducting risk 
identification, analysis, and evaluation (Microsoft 2014). ISO 31000 accomplishes this by 
having a business model perform risk assessment in six phases: planning, discovery, 
assessment, development, validation, and implementation. During the planning phase, the 
objectives, scope, and approach of the assessment are defined (Microsoft 2014). 

The discovery phase identifies broad classes of threats to software integrity and 
attempts to recognize the detailed control activities. The white papers by Microsoft 
(2011; 2014) also state that during assessment and development, the company identifies 
and documents control categories related to the threats found during discovery. In the 
subsequent step, the control requirements are met based on a particular group of 
discovered threats. The result is proposed software integrity policies and procedures, 
leading to the last phase implementation (Microsoft 2014). 

B. CYBER SUPPLY CHAIN VULNERABILITIES 

This section explains some of the factors that can be considered vulnerabilities in 
the cyber supply chain. 

I. Malicious Insertion to Software and Hardware 

Malicious code can be inserted at any time during the software’s life-cycle. The 
problem can expand further through the software’s exposure to hardware parts, firmware. 
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other software, and insider threats. One of the biggest problems in developing today’s 
eomputerized and network systems is determining vulnerability aspects of the hardware 
parts affected—the answers to who, what, where, when, and how. This problem becomes 
even more complex when, for example, one country assembles a computer whose parts 
come from multiple countries. Software and firmware, hereafter referred to as software, 
may also be susceptible to this problem. 

2. Contractual Agreements and Hiring Policies 

Most if not all of the software and hardware delivered to program managers are 
outsourced to contractors. Not all contractors are created equal. Depending on the 
project’s contract, the project managers do not usually have control of the contractor’s 
hiring policies. It should be understood that contractors might also be susceptible to one 
or more of the issues illustrated in the following sections, which add to the complexity of 
system evaluation and vulnerability assessment. 

3. Global Network for Parts and Services 

In today’s cost-prohibitive environment, many organizations resort to outsourcing 
manufactured parts from all over the globe. By doing this, organizations are able to 
produce more parts and services at lower prices. Unfortunately, a computer system that 
the program manager think s was developed by a U.S. contractor and assembled in the 
United States may have been built with parts manufactured elsewhere. When it comes to 
the program manager’s assessment of the system’s vulnerabilities, it may become time- 
and cost-prohibitive to assess the vulnerabilities of all parts and services. In addition, due 
to the complexity of systems, it is nearly impossible to assess 100 percent of the system 
before it is distributed. 

4. Lines of Code 

Most software developed for today’s complex environment and organizational 
needs may contain millions of lines of code. These lines of code provide a set of 
instructions to perform designed actions. These actions could turn pumps on or off in an 
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oil or gas pipeline when the system reaehes a eertain pressure, for example. The more 
eomplex a system’s features, the more lines of code are required to perform those 
functions. When program managers face deadlines, assessing all potential software 
vulnerabilities present in the code becomes time consuming. 

5. Recycled Code 

In order to save money and time, some software developers recycle code from 
internal or external sources. This is a widely used practice, especially when some systems 
require millions of lines of code. Some of the recycled code is available as subroutines 
that perform lower-system functions. For example, during the development of code for 
turning a computer on and starting the operating system, the use of a subroutine may be 
used to conduct the handshake between the system’s basic input/output system, which 
loads and starts and loads the operating system. The potential vulnerabilities inherent 
with this practice are analogous to acquiring hardware parts from multiple sources 

6. Different Coding Languages 

Not all software is coded in the same language, not all software languages are 
structured the same way, and not all languages present the same level of vulnerabilities. 
The program manager has limited resources and expertise to assess the multitude of 
software coding that a particular system may have. 

7. Proprietary Code and Features 

Some contractual agreements make it nearly impossible for the program manager 
to reverse-engineer the software delivered and assess for vulnerabilities. In other words, 
if an independent coder cannot access and read the lines of software code, the 
vulnerabilities go unanalyzed. The program manager must be able to understand the 
vulnerabilities involved with this practice. Although he or she may have transferred the 
risk to the contractor, the program manager is ultimately responsible to deliver a system 
on time, within budget, and with the agreed design capabilities. If the system does not 
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operate as intended, the overall system’s eapability may be affeeted, thus eausing mission 
failure or degradation. 


8. Insertion during the Life-cycle Process 

After the software or hardware has been delivered to the program manager and 
has been tested, assessed, and fielded, the system eode will most likely be updated and 
upgraded during its life-eycle. The upgrades and updates may oeeur either to enhanee 
funetionality or to fix other problems that were not found after the system’s delivery. The 
same rigor must be applied to assess vulnerabilities in the software updates and hardware 
upgrades as when the system was initially developed. 

9. Insider Threat 

The program manager must be aware of the possibility of malieious insertion due 
to insider threats in the form of users or teehnieians either deliberately or out of 
ignoranee. This ean be aeeomplished by, for example, installing unauthorized software, 
opening a malieious email, or by introdueing vulnerability through an external media 
plug-in to the system. The user may leave the system vulnerable if elear proeedures are 
not delineated for proper use and maintenanee. 

10. Compatibility with Other Systems 

Most eomplex systems are intereonneeted and are integrated as part of a system of 
systems, and some vulnerability can be introduced through inconsistencies or 
incompatibility (e.g., out-of-date software) issues between them. For example, system A 
is integrated with system B, but system B has vulnerability and compatibility issues with 
newer systems. The performance issues of system B can affect the performance and 
operation of system A, thus introducing a vulnerability. 

C. PROBLEMS DUE TO CYBER THREATS: WHY ARE THEY SO 

HARD TO FIGHT? 

Conventional supply chain vulnerability analysis may not be entirely effective 
against cyber threat. This is because the cyber threat introduces vulnerabilities that are 
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dynamic, unlimited, and without available data. The following seetion summarizes why a 
different approaeh is needed to understand and mitigate the cyber threat. 

1. Dynamic Boundary Conditions 

Aceording to Clemente (2011), the cyber problem is resistant to a solution 
because the infiltrating agents and methods are ever changing; this adds difficulty and 
complexity. 

Cyber-attackers evolve intelligently and quickly, and the eomplexity and 
interconneetedness of information systems, as well as the number of vulnerabilities, are 
evolving at a faster paee. The cyber threats and terrain shift continuously, hence, 
ehanging the boundary conditions (Larsen et al. 2014). 

2. Unable to Enumerate All Attacks 

Conventional supply chain vulnerability analysis requires that attaeks be 
enumerated. Enumeration of all possible attacks not feasible in cyber when resourees are 
limited. A program manager may claim that all possible vulnerabilities due to cyber has 
been aecounted for, but as stated by Larsen et al. (2014), this is impossible as 
vulnerabilities eannot be mitigated if the details of their existenee are unknown. Known 
vulnerabilities can be doeumented, monitored, assessed and mitigated. 

3. Unable to Assign Likelihoods for Adverse Events 

Likelihoods are the probabilistic means of determining whether an event will occur 
and are usually quantitative (Larsen et al. 2014). Moreover, as the authors indicate, the 
process of assigning likelihoods requires that risks be enumerated. Unfortunately, data for 
quantitative analysis is unavailable beeause of confidentiality agreements or risks that have 
yet to be identified. As stated by Larsen et al. (2014), if there is not data to be analyzed, it is 
nearly impossible to assess likelihoods via statistieal models or by qualitative means. 

Cyber risks are tied to the probability of finding the adverse oceurrences that may 
not be found by statistieal or probabilistic models; these risks are under the direet 
infiuenee of intelligent, persistent, and well-resoureed adversaries (Bishop 2003). 
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